grahamgilbert / Crypt-Server

A Django webapp to escrow filevault keys sent by the Crypt client app.
Apache License 2.0

Cross Site Scripting Vulnerability in SAML Auth Flow #129

Open tylerwhardy opened 3 days ago

tylerwhardy commented 3 days ago

In the saml2/login endpoint when using 3rd party SSO, the idp parameter is vulnerable to cross-site scripting injection due to insufficient input sanitization.

Proof of Concept: Visit the URL endpoint crypt.domain.com/saml2/login/?idp=<%2fscript><svg/onload=alert(origin)>

This will result in an XSS popup message indicating the attack worked.

This could be combined with data-exfiltration JavaScript or similar mechanisms to steal user data or session information.
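To make the reported flaw concrete from a defender's side, here is an added example (not Crypt-Server's or djangosaml2's code) that mimics the reflected-parameter pattern: a login handler that echoes an unknown `idp` value into an HTML error body verbatim, beside a hardened version that HTML-escapes it. The configured IdP entity ID and the `*_login` function names are assumptions; the query string is the one from the report above.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the single IdP entity ID this server trusts.
CONFIGURED_IDPS = {"https://idp.example.com/metadata"}

# The query string from the report, as the browser would send it.
PAYLOAD_QS = "idp=<%2fscript><svg/onload=alert(origin)>"


def _idp_from(query_string: str) -> str:
    """Return the first ``idp`` value, percent-decoded, or '' if absent."""
    return parse_qs(query_string).get("idp", [""])[0]


def vulnerable_login(query_string: str) -> str:
    """Flawed pattern: an unknown ``idp`` is reflected into HTML unescaped,
    so any markup in it (the <svg onload=...> above) is rendered by the
    browser. This models the bug class, not the library's exact code."""
    idp = _idp_from(query_string)
    if idp in CONFIGURED_IDPS:
        return "<p>Redirecting to IdP</p>"
    return f"<p>Unknown IdP: {idp}</p>"


def hardened_login(query_string: str) -> str:
    """Fix: keep the allowlist check and HTML-escape the value before it is
    interpolated, so '<', '>', '&' and quotes reach the page as entities.
    (Not reflecting user input at all is the stronger option; escaping is
    the minimum if the value must be echoed.)"""
    idp = _idp_from(query_string)
    if idp in CONFIGURED_IDPS:
        return "<p>Redirecting to IdP</p>"
    return f"<p>Unknown IdP: {html.escape(idp)}</p>"


def reflects_markup(body: str) -> bool:
    """Regression check: does a response body still contain a raw '<'
    after the 'Unknown IdP:' marker, i.e. unescaped reflected input?"""
    marker = "Unknown IdP: "
    return marker in body and "<" in body.split(marker, 1)[1].rstrip("</p>")
```

Run `reflects_markup` over the two handlers' output to see that only the vulnerable one lets the payload's tags through.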

grahamgilbert commented 3 days ago

The saml library we use is a third party one. Do you have any suggestions on how to remediate this?

tylerwhardy commented 3 days ago

It looks like it was fixed in the lib on this commit:

https://github.com/IdentityPython/djangosaml2/commit/b8399c90d0c4ccbb64f626e6b1892d29974282ce

Can you update to the latest release of djangosaml2?

grahamgilbert commented 3 days ago

Pull requests happily accepted